Another day, another WHMCS exploit.

[MannDude]

This was posted in IRC about 5 hours ago, I figured someone would have posted it here but I didn't see anything: http://security-geeks.blogspot.nl/2013/11/whmcs-5112-php-object-injectoin.html

 

I guess WHMCS exploits aren't news worthy anymore.

 

Anyhow, be safe out there y'all. It's a wild world.

 

[perennate]

Don't make people you don't trust admins and pretty sure you'll be safe from this one?

 

[wlanboy]

Don't make people you don't trust admins and pretty sure you'll be safe from this one?

Yup - minor issue.

 

[Coastercraze]

Don't make people you don't trust admins and pretty sure you'll be safe from this one?

Perhaps and watch your admin users just in case someone manages to uncover escalating themselves to admin. (unlikely, but you never know).

 

[drmike]

This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.

 

[scv]

Anybody running WHMCS should deploy a WAF in front. Only 'sane' way of going about it.

 

[Raymii]

This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.

Well, at least nobody can say this is an unresponsible disclosure which helps all the scriptkiddies.

 

[Patrick]

http://blog.whmcs.com/?t=81138

 

[RiotSecurity]

Well, it's just become usual now that there is an exploit.

 

[tchen]

This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.

It's pretty well defined.  But, it's only currently an issue if you give admin access and have third-party modules installed that are vulnerable to object injection.  The base install doesn't have the 'hook' to do much other than some internal bit twiddling in php   The immediate risk is low, but it's still something they should patch. 

More worrisome is that they have the same type of vulnerability in their generic cookie class - circa 5.2.7.  So far, that too is only being used in the admin pages.  Can't say anything about third-party modules though - as any of them could include it in client-facing pages.

 

[perennate]

This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.

How can you get more well defined? It includes the specific line numbers that relate to the vulnerability, and a list of files that use the exploitable function. A proof of concept wouldn't help define it better, just show one way to exploit it.

serialize/unserialize shouldn't be used for arrays; there's json_encode/json_decode for example.